Linux Netfilter discussions
From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: "CPD - David Cardeñosa Rubio" <dcardenosa@cac.retecal.es>
Cc: netfilter@lists.netfilter.org
Subject: RE: Complex NAT problems /sorry for the formated text
Date: Thu, 20 May 2004 10:07:18 -0400
Message-ID: <1085062037.22574.5.camel@localhost>
In-Reply-To: <7528A97D83FBD411BEF40003471B905B05D8FF10@smtp.retecal.es>

On Thu, 2004-05-20 at 07:45, CPD - David Cardeñosa Rubio wrote:
> Hi
> 
> I have a strange problem with iptables NAT.
> 
> I am trying to join 2 nets with the same IP.
> 
> 
> fwinet-2:~# iptables -L -n -t nat -v
> Chain PREROUTING (policy ACCEPT 41232 packets, 2376K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    94  4743 NETMAP     all  --  eth2   *       172.0.0.0/8          172.20.4.0/24       172.16.4.0/24
>     7   420 NETMAP     all  --  eth1   *       172.16.4.0/24        172.20.3.0/24       172.16.33.0/24
> 
> Chain POSTROUTING (policy ACCEPT 21845 packets, 1167K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 NETMAP     all  --  *      eth1    172.16.33.0/24       172.16.4.0/24       172.20.3.0/24
>   654 33367 NETMAP     all  --  *      eth2    172.16.4.0/24        172.0.0.0/8         172.20.4.0/24
>     0     0 SNAT       all  --  *      eth0    172.16.0.0/16        0.0.0.0/0           to:192.168.8.6
>     0     0 SNAT       all  --  *      eth0    172.40.40.0/22       0.0.0.0/0           to:192.168.8.6
>     0     0 SNAT       all  --  *      eth0    172.60.60.0/24       0.0.0.0/0           to:192.168.8.6
>   394 32515 SNAT       all  --  *      eth0    10.152.24.100        0.0.0.0/0           to:192.168.8.6
>     0     0 MASQUERADE  all  --  *      eth1    0.0.0.0/0            172.16.4.14
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> 
> The 1st rule in the POSTROUTING table doesn't work: the packets go to the
> interface eth1 with the original IP. I have the same problem for the
> other NETMAP rules (I also tried with SNAT/DNAT), but when I reboot the
> firewall the rules apply correctly.
> 
> This only happens when I modify the rules and don't reboot; if I reboot and
> load the firewall script (with the new rules) all works OK.
> 
> 
> fwinet-2:~# tcpdump -i eth2 -n icmp 
> tcpdump: listening on eth2 
> 13:25:38.157106 172.16.33.1 > 172.20.4.11: icmp: echo request 
> 13:25:39.158705 172.16.33.1 > 172.20.4.11: icmp: echo request 
> 
> fwinet-2:~# tcpdump -i eth1 -n icmp 
> tcpdump: listening on eth1 
> 13:25:43.163094 172.16.33.1 > 172.16.4.11: icmp: echo request 
> 
> It's very strange.
> 
> fwinet-2:~# uname -a 
> Linux fwinet-2 2.4.26 #2 Mon May 17 21:11:05 CEST 2004 i686 unknown 
<snip>
I can't give you an easy answer but I can suggest some process.  Have
you compared the rule listings before and after a change? Have you
placed logging rules within your rule set to see where the packets are
being unexpectedly accepted or dropped?
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
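Sullivan's first suggestion, comparing the rule listings before and after a change, as an added example that is not code from the thread: a small Python parser for `iptables -L -n -t nat -v` output (tolerating lines wrapped the way the mail client wrapped the listing above) that diffs two snapshots and lists NETMAP rules whose packet counter is still zero. The two snapshots are constructed sample data, not the poster's listing.

```python
import re
# Constructed 'before'/'after' snapshots of `iptables -L -n -t nat -v` (sample data, not the
# poster's full listing); the 'after' one is line-wrapped the way the mail client wrapped his.
BEFORE = """\
Chain POSTROUTING (policy ACCEPT 21845 packets, 1167K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETMAP     all  --  *      eth1    172.16.33.0/24       172.16.4.0/24       172.20.3.0/24
  654 33367 NETMAP     all  --  *      eth2    172.16.4.0/24        172.0.0.0/8         172.20.4.0/24
"""
AFTER = """\
Chain POSTROUTING (policy ACCEPT 21900 packets, 1170K bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 NETMAP     all  --  *      eth1    172.16.33.0/24
172.16.4.0/24       172.20.5.0/24
  660 33700 NETMAP     all  --  *      eth2    172.16.4.0/24        172.0.0.0/8         172.20.4.0/24
"""
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables -v abbreviates large counters
def parse_count(text):
    return int(float(text[:-1]) * _SUFFIX[text[-1]]) if text[-1] in _SUFFIX else int(text)
def parse_listing(text):
    """{chain: [[pkts, bytes, spec], ...]}; spec = line from the target column on, whitespace-normalised."""
    chains, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^Chain (\S+) \(", line):
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if current is None or not fields or fields[0] == "pkts":
            continue  # blank line or column header
        if re.match(r"^\d+(\.\d+)?[KMG]?$", fields[0]):
            chains[current].append([parse_count(fields[0]), parse_count(fields[1]), " ".join(fields[2:])])
        elif chains[current]:  # a wrapped continuation of the previous rule line
            chains[current][-1][2] += " " + " ".join(fields)
    return chains

def diff_listings(before, after):
    """Rule specs added or removed per chain between two snapshots (counters ignored)."""
    out = {}
    for chain in set(before) | set(after):
        b, a = {r[2] for r in before.get(chain, [])}, {r[2] for r in after.get(chain, [])}
        if a != b:
            out[chain] = {"added": sorted(a - b), "removed": sorted(b - a)}
    return out

def idle_rules(listing, target="NETMAP"):
    """Rules of the given target that have never matched: the zero-counter symptom in the thread."""
    return [(chain, r[2]) for chain, rules in listing.items()
            for r in rules if r[0] == 0 and r[2].startswith(target + " ")]
```

One caveat worth keeping in mind when reading such a diff: the nat table is consulted only for the first packet of a connection and the decision is cached in conntrack, so a NAT rule changed on a live box does not apply to flows that were already tracked until those entries expire or the conntrack table is flushed, which is one reason a freshly loaded rule can sit at zero hits until the next reboot.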